Response codes

Semantic HTTP response codes are used to indicate the status of the search:

Code   Description
200    Ok — everything worked and there's a string array of pwned sites for the account
400    Bad request — the account does not comply with an acceptable format (i.e. it's an empty string)
404    Not found — the account could not be found and has therefore not been pwned

SSL

The API must be invoked over HTTPS. Any requests over HTTP will result in a 301 response with
a redirect to the same path on the secure scheme.
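A client-side handler for the response codes and the HTTPS requirement described above. This is an added example, not code from the API's author. The names `require_https`, `interpret_response` and `BadAccountFormat`, the placeholder URL, and the choice of JSON as the encoding of the string array are assumptions.

```python
import json
from urllib.parse import urlsplit


class BadAccountFormat(ValueError):
    """The API answered 400: the account string was not acceptable."""


def require_https(url):
    """Refuse plaintext URLs up front instead of relying on the 301 redirect,
    so the account name is never sent over HTTP in the first place."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("API must be invoked over HTTPS: " + url)
    return url


def interpret_response(status, body=""):
    """Map a status code and body to a list of pwned site names.

    An empty list means the account was not found (404), i.e. not pwned.
    """
    if status == 200:
        sites = json.loads(body)  # assumption: the string array is JSON
        if not isinstance(sites, list) or not all(isinstance(s, str) for s in sites):
            raise ValueError("200 response was not a string array")
        return sites
    if status == 404:
        return []
    if status == 400:
        raise BadAccountFormat("account does not comply with an acceptable format")
    if status == 301:
        # Only reachable if the request went out over HTTP; treat as a client bug.
        raise ValueError("request was sent over HTTP; use the HTTPS scheme")
    raise RuntimeError("unexpected status code %d" % status)


# Constructed sample responses (not captured from the real service).
SAMPLES = [(200, '["ExampleSiteA", "ExampleSiteB"]'), (404, "")]

if __name__ == "__main__":
    require_https("https://api.example.invalid/placeholder-path")  # placeholder URL
    for status, body in SAMPLES:
        print(status, interpret_response(status, body))
```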

Cross-origin resource sharing (CORS)

CORS is fully supported for all origins — you can hit the API from websites on any other domain.

Authentication

There isn't any.

Rate limiting

There isn't any of that either.

Abuse

There's not much point; if you want to build up a treasure trove of pwned email addresses or
usernames, go and download the dumps (they're all just a Google search away) and save
yourself the hassle and time of trying to enumerate an API one account at a time.
